OpenClaw Plugin Installation Security Scan Bypass Vulnerability
Vulnerability
A fail-open vulnerability has been identified in OpenClaw versions prior to 2026.3.31. It lies in the plugin installation path: when the security scan flags a plugin, the findings are shown to the operator as a warning, but nothing enforces them and the installation still proceeds. Because the gate fails open, an operator who overlooks or dismisses the warning ends up installing an untrusted plugin whose critical findings were never acted on, and any malicious code or actions that plugin carries are then executed by OpenClaw.
Impact
Exploitation of this vulnerability results in untrusted plugins, which may contain harmful code or functionality, being installed. In OpenClaw, such plugins run in-process with the application's gateway and are treated as trusted code, so a malicious plugin can perform dangerous operations, such as executing shell commands, with the gateway's privileges while appearing to be a legitimate plugin.
Reproduction
To reproduce this vulnerability, attempt to install a plugin or a skill that the security scan flags as containing dangerous code, for example a finding for shell command execution. The scan warning is displayed but not enforced: ignore or dismiss it and the installation completes despite the critical finding.
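The mechanism described above (a scan whose findings are displayed but not enforced) and the reproduction step both come down to how the install gate treats scan results. The following is an added example, not OpenClaw's own code or API: a toy plugin scanner, the fail-open gate shape the advisory describes, and the fail-closed gate a fix needs. The rule patterns, function names and sample plugin sources are constructed for illustration; the scanner-error path is an added generalization (the advisory only describes findings being ignored), included because a fail-closed gate must also refuse to install when the scan cannot run.

```typescript
// Added example (not OpenClaw code): a plugin install gate that fails open,
// beside the fail-closed version a fix requires. Rules, names and sample
// plugin sources are constructed for this illustration.

type Severity = "info" | "warning" | "critical";

interface Finding {
  rule: string;
  severity: Severity;
  line: number;
}

interface ScanRule {
  rule: string;
  severity: Severity;
  pattern: RegExp;
}

// Toy static rules; a real scanner would be far richer than three regexes.
const SCAN_RULES: ScanRule[] = [
  { rule: "shell-exec", severity: "critical", pattern: /\b(child_process|execSync|spawnSync|execFile)\b/ },
  { rule: "dynamic-eval", severity: "critical", pattern: /\b(eval|new Function)\s*\(/ },
  { rule: "outbound-network", severity: "warning", pattern: /\b(fetch|XMLHttpRequest)\s*\(/ },
];

// Scan each line of the plugin source against the rules.
function scanPlugin(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const r of SCAN_RULES) {
      if (r.pattern.test(text)) findings.push({ rule: r.rule, severity: r.severity, line: idx + 1 });
    }
  });
  return findings;
}

interface InstallResult {
  installed: boolean;
  findings: Finding[];
  reason: string;
}

// Fail-open gate (the vulnerable shape): findings are surfaced as a warning,
// but nothing stops the install, and a scanner crash is silently swallowed.
function installFailOpen(source: string, scanner = scanPlugin): InstallResult {
  let findings: Finding[] = [];
  try {
    findings = scanner(source);
  } catch {
    // scan error ignored: the plugin is installed with no findings at all
  }
  return { installed: true, findings, reason: findings.length ? "installed with warnings" : "clean" };
}

// Fail-closed gate: critical findings block the install, a scanner failure
// blocks the install, and an operator override has to be explicit and is
// recorded in the result so it shows up in logs.
function installFailClosed(
  source: string,
  opts: { acknowledgeDangerous?: boolean } = {},
  scanner = scanPlugin,
): InstallResult {
  let findings: Finding[];
  try {
    findings = scanner(source);
  } catch (err) {
    return { installed: false, findings: [], reason: `scan failed: ${(err as Error).message}` };
  }
  const critical = findings.filter((f) => f.severity === "critical");
  if (critical.length > 0 && !opts.acknowledgeDangerous) {
    return { installed: false, findings, reason: `blocked: ${critical.map((f) => f.rule).join(", ")}` };
  }
  const reason = critical.length > 0 ? "installed: dangerous findings explicitly acknowledged" : "clean";
  return { installed: true, findings, reason };
}

// Constructed sample plugin that shells out; the kind of thing a scan should flag.
const SAMPLE_SHELL_PLUGIN = [
  "import { execSync } from 'child_process';",
  "export function run(cmd: string) {",
  "  return execSync(cmd).toString();",
  "}",
].join("\n");

// Constructed sample plugin with nothing to flag.
const SAMPLE_CLEAN_PLUGIN = "export function greet(n: string) { return `hi ${n}`; }";

// A scanner that cannot run, to exercise the error path of both gates.
function brokenScanner(): Finding[] {
  throw new Error("rule engine unavailable");
}

console.log(installFailOpen(SAMPLE_SHELL_PLUGIN).reason);   // installed with warnings
console.log(installFailClosed(SAMPLE_SHELL_PLUGIN).reason); // blocked: shell-exec, shell-exec
```

The point of the fail-closed shape is that the default branch refuses: a critical finding, or no scan result at all, returns `installed: false`, and the only way past it is an explicit `acknowledgeDangerous` flag that is reflected in the returned reason. Warnings that are merely printed, as in `installFailOpen`, are exactly what an operator scrolls past.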
Remediation
Update to OpenClaw version 2026.3.31 or later, where this vulnerability has been fixed. Until the update is applied, treat any security scan warning raised during plugin or skill installation as a blocking error and do not proceed with the install.
